  #1  
Old 10 Oct 2013, 22:44
michelle86 michelle86 is offline
 
Join Date: Jan 2010
Question HELP! forum hacker somehow creating admin accounts

Since mid September someone has been trying to hack my site.

This person has tried creating multiple admin accounts. I'm not sure how he is able to create the accounts (it isn't recording an IP address or anything).

I have the first username he tried, and when I google it, I find other sites he has hacked. Their main pages are wiped and he has his name in big font and a scrolling message at the top saying the site has been hacked and things like, "Islam is the way of life." And most often awful music playing.

He has since tried creating several other admin account names.

My admincp is not located at mysite.com/admincp.php - I renamed it a long time ago to prevent hackers from uploading files into the admincp (I'm not sure if this has been the reason why he hasn't been able to mess up my site - it would make sense if it is a robot that is doing it).

My site is hosted on bluehost.

Does anyone have any idea where he is getting in and registering the admin accounts? How do I stop this before he really gets in and ruins my site?

Any help is appreciated!
  #2  
Old 10 Oct 2013, 22:47
Digital Jedi Digital Jedi is offline
 
Join Date: Oct 2006
Real name: Mark Daniel Martinez
Have you already deleted your install directory, as was suggested when the vB4 exploit was announced?
  #3  
Old 10 Oct 2013, 22:49
tbworld tbworld is offline
 
Join Date: Oct 2008
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked

http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
  #4  
Old 10 Oct 2013, 23:11
michelle86 michelle86 is offline
 
Join Date: Jan 2010
Originally Posted by Digital Jedi:
Have you already deleted your install directory, as was suggested when the vB4 exploit was announced?
Thank you! Just deleted it. Totally missed the announcement in the admincp.

I hope this solves it.
  #5  
Old 10 Oct 2013, 23:14
tbworld tbworld is offline
 
Join Date: Oct 2008
Sorry you were hacked. I hope it solves it too.
  #6  
Old 10 Oct 2013, 23:22
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Real name: Chris
Just deleting the install directory won't solve the issues; you need to follow the links that tbworld posted as well.
  #7  
Old 11 Oct 2013, 00:20
michelle86 michelle86 is offline
 
Join Date: Jan 2010
Yes, I already changed passwords and I'm going through and deleting files they added (found a bunch in the clientscript directory). I just hope that deleting the install directory will close the backdoor that was letting someone come in and do all this.
  #8  
Old 11 Oct 2013, 00:39
tbworld tbworld is offline
 
Join Date: Oct 2008
Make sure you follow the guidelines completely; be thorough and take your time. If you can do backups after every step, do so. If you have any questions, please ask; most of us try to help others if we can.
  #9  
Old 11 Oct 2013, 08:38
DoubleGlasses DoubleGlasses is offline
 
Join Date: May 2008
((hugs)) Michelle

I'm still dealing with this chaos and am in your exact same boat. They are completely right - there's a lot more to fixing this issue than deleting the install folder.

Also - one thing that I think (can't say absolutely for sure) might not have been in those guides - I added another layer - using htaccess to restrict access to my admincp folder as well. This would prevent them from even being able to log in and use their admin accounts through the admincp. Of course the password file sits above the public folder.

Oh and my attack happened around the same time as yours.
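
A read-only check of the three points raised in this thread (a leftover install directory, files under clientscript changed since the attack began, and an admincp .htaccess whose password file sits outside the public folder), as an added example that is not part of any poster's reply or of the vBulletin guides. The function names, the report labels, the default `admincp` directory name and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of a vBulletin web root. Reports, changes nothing.
# Usage: audit_vb WEBROOT CUTOFF [ADMIN_DIR]
#   WEBROOT   absolute path, no trailing slash
#   CUTOFF    CCYYMMDDhhmm (touch -t format), e.g. the first sign of the attack
#   ADMIN_DIR control panel directory name (assumed default: admincp)
audit_vb() {
    root=$1; cutoff=$2; admin=${3:-admincp}

    # 1. Install directory still present.
    if [ -d "$root/install" ]; then
        echo "INSTALL_DIR_PRESENT $root/install"
    fi

    # 2. Files under clientscript modified after the cutoff.
    ref=$(mktemp) || return 2
    touch -t "$cutoff" "$ref"
    if [ -d "$root/clientscript" ]; then
        find "$root/clientscript" -type f -newer "$ref" | sort |
            sed 's/^/CHANGED_SINCE_CUTOFF /'
    fi
    rm -f "$ref"

    # 3. Admin directory: is there an AuthUserFile, and is it outside the web root?
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' \
        "$root/$admin/.htaccess" 2>/dev/null) || pw=""
    case $pw in
        "")        echo "ADMIN_DIR_NO_AUTH $root/$admin" ;;
        "$root"/*) echo "HTPASSWD_IN_WEBROOT $pw" ;;
        /*)        ;;  # absolute path outside the web root: nothing to report
        *)         echo "HTPASSWD_PATH_RELATIVE $pw" ;;  # resolved against ServerRoot
    esac
    return 0
}

# Constructed sample tree (not real site data) so the check can be tried offline.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/www/install" "$d/www/clientscript" "$d/www/admincp"
    touch -t 201301010000 "$d/www/clientscript/existing.js"
    touch -t 201310010000 "$d/www/clientscript/added.php"
    printf 'AuthType Basic\nAuthUserFile %s/www/.htpasswd\nRequire valid-user\n' "$d" \
        > "$d/www/admincp/.htaccess"
    echo "$d/www"
}

site=$(make_sample)
audit_vb "$site" 201309150000
rm -rf "${site%/www}"
```

A file listed as changed is only a candidate for review against a clean copy of the same vBulletin version; an empty report does not mean the site is clean.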
  #10  
Old 11 Oct 2013, 08:43
Zachery Zachery is offline
 
Join Date: Jul 2002
Real name: Zachery Woods
Password protecting the folders is part of the guides